headers
Peter Fairbrother | 1 Oct 2008 01:28
Picon
Favicon

Re: Tool to backup, modify and clone ePassport released

Ian Batten wrote:
> 
> On 30 Sep 2008, at 18:07, Charles Lindsey wrote:

>> I think it safe to assume that UK passports have omitted several 
>> features which a competent cryptographer would have included as a 
>> matter of course :-(.
> 
> I don't.  It'd be stunned if the design hadn't made a trip to the West 
> Country.  

You expect CESG to do more than say product X complies with a standard? 
I think you have an overly optimistic expectation of CESG's capabilities.

The subversion of the entire UK passport system would be
> rather uncool.  The passports have had the benefit of some of the best 
> physical security people in the game in the design of the paper and the 
> watermarks, so why wouldn't they be equally motivated to sort out the 
> electronic properties?

Motivation - do CESG have any such motivation?

Then there is their lack of competence, or let's see, maybe - their lack 
of competence?

I don't know how competent GCHQ are, but CESG are only good for 
certification to standards written by someone else, and not even that 
really. They simply don't know how to do secure.

And I don't think GCHQ is going to want to be involved in passport design.
(Continue reading)

Permalink | Reply | 6 comments |
headers
Peter Fairbrother | 1 Oct 2008 01:37
Picon
Favicon

Re: Phorms Ts and Cs

Ian Batten wrote:
> 
> On 30 Sep 08, at 1625, James Firth wrote:
> 
>> Ian Batten wrote:
>>
>>> The changes BT are making to Total Broadband terms and conditions are
>>> rather harder-line than we anticipated. (see below).
>>
>> You've missed out the change to clause 11, where they change "material
>> disadvantage" to "significant disadvantage" when it comes to trying to 
>> end
>> your contract early due to change in Ts & Cs:
> 
> Except if you haven't accepted the new contract.  Surely they can't 
> impose a contract which contains a new set of termination clauses, 
> without providing an opportunity to consider the new contract under the 
> old termination clauses.
> 
> Anyway, for me, it doesn't matter: my 12 month contract expired in July, 
> and BT spent last week trying to convince me to re-sign on a new 12 
> month contract.  Not unsurprisingly, I declined their kind offer, so I'm 
> on minimum termination period.

Hmmm, vote with your feet?

A few of the free ISPs offer to do the work involved in a change of ISP 
for you. I don't know how this works in regard to contracts, but some 
very-non-geeks of my acquaintance have changed with little problem 
(except the c**p service from their new "free" ISP - they will do the
(Continue reading)

Permalink | Reply | 12 comments |
headers
Peter Fairbrother | 1 Oct 2008 02:09
Picon
Favicon

Re: Tool to backup, modify and clone ePassport released

Peter Fairbrother wrote:
> Ian Batten wrote:
>>
>> On 30 Sep 2008, at 18:07, Charles Lindsey wrote:
> 
>>> I think it safe to assume that UK passports have omitted several 
>>> features which a competent cryptographer would have included as a 
>>> matter of course :-(.
>>
>> I don't.  It'd be stunned if the design hadn't made a trip to the West 
>> Country.  
> 
> You expect CESG to do more than say product X complies with a standard? 
> I think you have an overly optimistic expectation of CESG's capabilities.
> 
> The subversion of the entire UK passport system would be
>> rather uncool.  The passports have had the benefit of some of the best 
>> physical security people in the game in the design of the paper and 
>> the watermarks, so why wouldn't they be equally motivated to sort out 
>> the electronic properties?
> 
> Motivation - do CESG have any such motivation?
> 
> Then there is their lack of competence, or let's see, maybe - their lack 
> of competence?
> 
> I don't know how competent GCHQ are, but CESG are only good for 
> certification to standards written by someone else, and not even that 
> really. They simply don't know how to do secure.
>
(Continue reading)

Permalink | Reply | 5 comments |
headers
Peter Tomlinson | 1 Oct 2008 07:34
Picon

Re: Tool to backup, modify and clone ePassport released

Peter Fairbrother wrote:
> Of course, the other thing about CESG is that nobody in Gubbmint seems 
> to ask them anything, or to take any notice of what they say; so it 
> wouldn't surprise me at all if it "hadn't made a trip to the West 
> Country" -- or if it had, quite possibly no-one took any notice of 
> what they said.
 From things heard, some of them ask but they don't have to take any 
notice of the answer, and indeed there have been a number of years when 
the money to take notice was not made available. We have not yet seen 
the sea change from the top that is necessary, and some of the best 
people have either faded away from being involved, or are still in there 
but keeping their heads down (and, sadly, RIP Phil Perry, who was trying 
to help the NHS).

It is the ICO that is pushing infosec, but that doesn't lead to a 
systemic approach to it.

Peter
Permalink | Reply | 4 comments |
headers
Charles Lindsey | 1 Oct 2008 11:40
Picon
Picon

Re: sfs8 pt1

On Tue, 30 Sep 2008 21:29:22 +0100, Dave Howe <DaveHowe@...> wrote:

> first in the browser's list that the server supports, by the look of
> things - I haven't done an exhaustive test of that. I have no idea how
> to get IE (or firefox, for that matter) to reorder the list though.

I would expect the order of the browser's list to be the order in which  
the items were loaded during configuration, or else the inverse thereof.

Either way, if you remove all entries from the browser's list and then  
reload them in an order of your choosing, you should be able to achieve  
what you want.

--

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl@...      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
Permalink | Reply | 10 comments |
headers
Alexander Hanff | 1 Oct 2008 11:50

International No Click day

I am calling for an international No Click day in protest against Phorm
and other behavioural advertising/tracking companies.  See the following
URL for initial details with more to come in the next 24 hours:

https://nodpi.org/2008/10/01/boycott-tracking-and-behavioural-advertising-14th-october-2008/

There will be some images/banners created in the next 24 hours for
people to place on their web sites and social networking profiles.  If
you need any more info please contact me directly by email.

Obviously given the short time scale the more people spread the word the
better.

Regards

Alexander Hanff
Permalink | Reply | 0 comments |
headers
Charles Lindsey | 1 Oct 2008 12:02
Picon
Picon

Re: Tool to backup, modify and clone ePassport released

On Tue, 30 Sep 2008 19:21:34 +0100, Ian Batten <igb@...> wrote:

> I wouldn't be at all surprised if it were possible to place onto a  
> passport a set of information signed with a self-signed cert.  Indeed,  
> short of the passport itself embodying containing some root keys and the  
> hardware to test data against them --- which would require substantial  
> power, which isn't available --- it's hard to see how you would stop  
> this.  It's some memory.  I can load bits into it.  Why wouldn't I be  
> able to?

In a sensibly designed chip, there would be data that could be altered  
after manufacture and data that could not, with a fusible link to be  
destroyed after the unalterable data had been loaded. That data might also  
be unreadable externally, but available for the internal electronics of  
the chip to access as part of its verification procedures.

If the Bad Guys want to clone chips by altering stuff in an  
already-existing passport, then they could not do it. With the hidden  
stuff not even readable, they might not be able to do it even if they  
could lay their hands on virgn chips.
>
> The question is if that data will be seen as valid by a reader at the  
> border of (a) the issuing country (b) a country on friendly terms with  
> the issuing country and (c) an arbitrary country, and what benefit it  
> gives me.
>
> In the case of (a) the answer is clearly `no', because the data isn't  
> read anyway: the passport's serial number is extracted and the  
> photograph is retrieved from the UKPA database.
(Continue reading)

Permalink | Reply | 1 comment |
headers
signup | 1 Oct 2008 13:11
Picon

Re: Tool to backup, modify and clone ePassport released

Quoting Ian Batten <igb@...>:

[snip]

> I don't.  It'd be stunned if the design hadn't made a trip to the West
> Country.  The subversion of the entire UK passport system would be
> rather uncool.  The passports have had the benefit of some of the best
> physical security people in the game in the design of the paper and the
> watermarks, so why wouldn't they be equally motivated to sort out the
> electronic properties?

CESG were saying (at least, they said to me in 2003 / 2004) that there  
were significant problems with biometrics for ID card use.

Did they say that to anyone that matters?  Did those people listen?  I  
don't know, and I won't find out, because CESG and GCHQ are secret.

[snip]

> I think it's significant that the passport electronic stuff is driven
> by ICAO, not anyone serious.  I think it's there so you can use a
> passport as the identification at a self checkin machine, and so
> airlines can extract pre-fly information more easily.  End of.  I don't
> think it's a primary, or even a secondary, source of real ``can I cross
> borders'' authentication.
>
> ian

Advocates of national ID cards say that passports are not good enough  
to identify a person as that person.  That's a bit worrying, unless
(Continue reading)

Permalink | Reply | 1 comment |
headers
Ian Batten | 1 Oct 2008 14:01

Re: Tool to backup, modify and clone ePassport released

>
>> would stop this.  It's some memory.  I can load bits into it.  Why
>> wouldn't I be able to?
>
> First of all the data should only be readable by people who are
> authorized to read them.

What's the definition of `authorized'?  I would argue that anyone to  
whom I show my passport is authorized, because the data belongs to me  
and I can authorize whoever I like to read it.

The ICAO scheme, as I understand it, is that the data on the RFID chip  
doesn't include the passport serial number, which is used as an  
encryption key.  So the intent is that the contents of the chip are  
readable to anyone who can read the data page of an open passport (old  
blue British passports have the serial number on the front cover, but  
that's not at all common these days).

Now there are some objections one might raise about the lack of  
entropy in passport serial numbers, but the intent --- that  
authorization remains with the holder of the passport --- is the right  
one.  What did you have in mind as `authorized'?
>

> Not anyone with any kind of rfid reader
> without any kind of authentication.

I think it's perfectly right that I should be able to use an RFID  
reader to extract data from my passport, and my children's passports.   
If there were hidden data there which require magic keys not in
(Continue reading)

Permalink | Reply | 25 comments |

Gmane